search

bitrise-steplib / bitrise-step-open-vpn

Bitrise step to establish a VPN connection with the specified OpenVPN server.
MIT License
2 stars 10 forks source link

Step succeeds on macos even when connection to openvpn fails #9

Closed andersonvom closed 1 month ago

andersonvom commented 4 months ago

Troubleshooting

Useful information

Issue description

On macos, the step succeeds even when openvpn fails to connect, misleading users into thinking it actually connected. The connection to openvpn never succeeds, instead it keeps trying to resolve host forever, but since openvpn is running in the background and we don't check for a successful connection, the step incorrectly finishes successfully.

Expected behavior: if connection is not possible, or doesn't succeed after some timeout threshold, the step should fail.

Bitrise info

Step log 
2024-07-05 14:48:16 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2024-07-05 14:48:16 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-07-05 14:48:16 WARNING: file 'client.key' is group or others accessible
2024-07-05 14:48:16 OpenVPN 2.6.9 aarch64-apple-darwin23.2.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
2024-07-05 14:48:16 library versions: OpenSSL 3.2.1 30 Jan 2024, LZO 2.10
2024-07-05 14:48:16 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-07-05 14:48:16 RESOLVE: Cannot resolve host address: openvpn.dev.example.com:1194 (nodename nor servname provided, or not known)
2024-07-05 14:48:16 RESOLVE: Cannot resolve host address: openvpn.dev.example.com:1194 (nodename nor servname provided, or not known)
2024-07-05 14:48:16 Could not determine IPv4/IPv6 protocol
2024-07-05 14:48:16 SIGUSR1[soft,Could not determine IPv4/IPv6 protocol] received, process restarting
2024-07-05 14:48:16 Restart pause, 1 second(s)
2024-07-05 14:48:17 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-07-05 14:48:17 RESOLVE: Cannot resolve host address: openvpn.dev.example.com:1194 (nodename nor servname provided, or not known)
2024-07-05 14:48:17 RESOLVE: Cannot resolve host address: openvpn.dev.example.com:1194 (nodename nor servname provided, or not known)
2024-07-05 14:48:17 Could not determine IPv4/IPv6 protocol
2024-07-05 14:48:17 SIGUSR1[soft,Could not determine IPv4/IPv6 protocol] received, process restarting
2024-07-05 14:48:17 Restart pause, 2 second(s)
...

Steps to reproduce

  1. Add connect to openvpn step
  2. In my particular case, I also need to provide --tls-crypt-v2 key_file, which the step currently doesn't allow, and it caused the host not to be resolved
  3. Step doesn't check for successful connection, just that the process is still alive, and finished successfully
  4. View contents of step log in subsequent step and/or try to connect to host behind vpn

Please let me know if you need further information.

bitrise-coresteps-bot commented 1 month ago

Hello there, I'm a bot. On behalf of the community I thank you for opening this issue.

To help our human contributors focus on the most relevant reports, I check up on old issues to see if they're still relevant. This issue has had no activity for 90 days, so I marked it as stale.

The community would appreciate if you could check if the issue still persists. If it isn't, please close it. If the issue persists, and you'd like to remove the stale label, you simply need to leave a comment. Your comment can be as simple as "still important to me".

If no comment left within 21 days, this issue will be closed.

bitrise-coresteps-bot commented 1 month ago

I'll close this issue as it doesn't seem to be relevant anymore. We believe an old issue probably has a bunch of context that's no longer relevant, therefore, if the problem still persists, please open a new issue.